
Windows Analysis Report Y0K4O5JTDz

Overview

General Information

Sample Name: Y0K4O5JTDz (renamed file extension from none to dll)
Analysis ID: 449025
MD5: d1253fcbf6ae056cff716ff6670c2c11
SHA1: 68a6945ac7d27651b221ba0ad10b9c3ae8c878f8
SHA256: e2e8a185580a5831bd7ddfcbed30cb21965cfb3bd546b4cffd85dc886671aeea

Detection

Ursnif
Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
PE file contains an invalid checksum
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 4244 cmdline: loaddll32.exe 'C:\Users\user\Desktop\Y0K4O5JTDz.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)
    • cmd.exe (PID: 1124 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\Y0K4O5JTDz.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 240 cmdline: rundll32.exe 'C:\Users\user\Desktop\Y0K4O5JTDz.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • cmd.exe (PID: 4708 cmdline: C:\Windows\system32\cmd.exe /c cd Island MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 6036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • cmd.exe (PID: 5872 cmdline: C:\Windows\system32\cmd.exe /c cd Matter m MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 256 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • rundll32.exe (PID: 2736 cmdline: rundll32.exe C:\Users\user\Desktop\Y0K4O5JTDz.dll,Connectdark MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • cmd.exe (PID: 3216 cmdline: C:\Windows\system32\cmd.exe /c cd Island MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 1084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 6104 cmdline: C:\Windows\system32\cmd.exe /c cd Matter m MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 6116 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • rundll32.exe (PID: 5780 cmdline: rundll32.exe C:\Users\user\Desktop\Y0K4O5JTDz.dll,Mindlake MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • cmd.exe (PID: 4944 cmdline: C:\Windows\system32\cmd.exe /c cd Island MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 5944 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 2172 cmdline: C:\Windows\system32\cmd.exe /c cd Matter m MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 2168 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • rundll32.exe (PID: 5108 cmdline: rundll32.exe C:\Users\user\Desktop\Y0K4O5JTDz.dll,Porthigh MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • cmd.exe (PID: 1536 cmdline: C:\Windows\system32\cmd.exe /c cd Island MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 5840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 5908 cmdline: C:\Windows\system32\cmd.exe /c cd Matter m MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 6012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • rundll32.exe (PID: 1488 cmdline: rundll32.exe C:\Users\user\Desktop\Y0K4O5JTDz.dll,Problemscale MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • cmd.exe (PID: 5252 cmdline: C:\Windows\system32\cmd.exe /c cd Island MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 5280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 4952 cmdline: C:\Windows\system32\cmd.exe /c cd Matter m MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 4180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • rundll32.exe (PID: 3440 cmdline: rundll32.exe C:\Users\user\Desktop\Y0K4O5JTDz.dll,WingGrass MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • cmd.exe (PID: 4960 cmdline: C:\Windows\system32\cmd.exe /c cd Island MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 5264 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 3088 cmdline: C:\Windows\system32\cmd.exe /c cd Matter m MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 2576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 4628 cmdline: C:\Windows\system32\cmd.exe /c cd Island MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • cmd.exe (PID: 2160 cmdline: C:\Windows\system32\cmd.exe /c cd Matter m MD5: F3BDBE3BB6F734E357235F4D5898582D)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
Y0K4O5JTDz.dll | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security |

Memory Dumps

Source | Rule | Description | Author | Strings
0000000D.00000002.518987950.000000006E1E1000.00000020.00020000.sdmp | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security |
00000000.00000002.472801964.000000006E1E1000.00000020.00020000.sdmp | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security |
00000010.00000002.475060646.000000006E1E1000.00000020.00020000.sdmp | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security |
00000002.00000002.476449886.000000006E1E1000.00000020.00020000.sdmp | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security |
00000015.00000002.493394816.000000006E1E1000.00000020.00020000.sdmp | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
3.2.rundll32.exe.6e1e0000.1.unpack | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security |
0.2.loaddll32.exe.6e1e0000.0.unpack | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security |
13.2.rundll32.exe.6e1e0000.1.unpack | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security |
16.2.rundll32.exe.6e1e0000.1.unpack | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security |
24.2.rundll32.exe.6e1e0000.1.unpack | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security |

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: Y0K4O5JTDz.dll | Avira: detected
Multi AV Scanner detection for submitted file
Source: Y0K4O5JTDz.dll | Virustotal: Detection: 72%
Source: Y0K4O5JTDz.dll | ReversingLabs: Detection: 85%
Source: Y0K4O5JTDz.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: Y0K4O5JTDz.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\938\follow-Record\Suffix\observe-element\force.pdb source: loaddll32.exe, 00000000.00000002.472845462.000000006E26A000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000002.507896542.000000006E26A000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.501774498.000000006E26A000.00000002.00020000.sdmp, rundll32.exe, 0000000D.00000002.519376023.000000006E26A000.00000002.00020000.sdmp, rundll32.exe, 00000010.00000002.498806396.000000006E26A000.00000002.00020000.sdmp, rundll32.exe, 00000015.00000002.514815265.000000006E26A000.00000002.00020000.sdmp, rundll32.exe, 00000018.00000002.506322569.000000006E26A000.00000002.00020000.sdmp, Y0K4O5JTDz.dll

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match | File source: Y0K4O5JTDz.dll, type: SAMPLE
Source: Yara match | File source: 3.2.rundll32.exe.6e1e0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.6e1e0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.rundll32.exe.6e1e0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.rundll32.exe.6e1e0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.2.rundll32.exe.6e1e0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.rundll32.exe.6e1e0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.2.rundll32.exe.6e1e0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000D.00000002.518987950.000000006E1E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.472801964.000000006E1E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.475060646.000000006E1E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.476449886.000000006E1E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.493394816.000000006E1E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.473300457.000000006E1E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.474907412.000000006E1E1000.00000020.00020000.sdmp, type: MEMORY
Source: loaddll32.exe, 00000000.00000002.472752566.0000000000B2B000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Ursnif
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E223E00
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E221C3C
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E2567D9
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E2484BB
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E2602BC
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E250396
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E23E079
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E235150
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6E223E00
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6E221C3C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6E2567D9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6E2484BB
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6E2602BC
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6E250396
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6E23E079
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6E235150
Source: C:\Windows\System32\loaddll32.exe | Code function: String function: 6E220990 appears 34 times
Source: C:\Windows\System32\loaddll32.exe | Code function: String function: 6E2200AC appears 100 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6E220990 appears 34 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6E2200AC appears 100 times
Source: Y0K4O5JTDz.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: classification engine | Classification label: mal64.troj.winDLL@55/0@0/0
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6012:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5264:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6036:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5944:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6116:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5840:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5280:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4180:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:256:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2168:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1084:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2576:120:WilError_01
Source: Y0K4O5JTDz.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Y0K4O5JTDz.dll,Connectdark
Source: Y0K4O5JTDz.dll | Virustotal: Detection: 72%
Source: Y0K4O5JTDz.dll | ReversingLabs: Detection: 85%
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\Y0K4O5JTDz.dll'
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\Y0K4O5JTDz.dll',#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Y0K4O5JTDz.dll,Connectdark
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\Y0K4O5JTDz.dll',#1
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Y0K4O5JTDz.dll,Mindlake
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Y0K4O5JTDz.dll,Porthigh
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Y0K4O5JTDz.dll,Problemscale
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Y0K4O5JTDz.dll,WingGrass
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: Y0K4O5JTDz.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Y0K4O5JTDz.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Y0K4O5JTDz.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Y0K4O5JTDz.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Y0K4O5JTDz.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Y0K4O5JTDz.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Y0K4O5JTDz.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Y0K4O5JTDz.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: c:\938\follow-Record\Suffix\observe-element\force.pdb source: loaddll32.exe, 00000000.00000002.472845462.000000006E26A000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000002.507896542.000000006E26A000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.501774498.000000006E26A000.00000002.00020000.sdmp, rundll32.exe, 0000000D.00000002.519376023.000000006E26A000.00000002.00020000.sdmp, rundll32.exe, 00000010.00000002.498806396.000000006E26A000.00000002.00020000.sdmp, rundll32.exe, 00000015.00000002.514815265.000000006E26A000.00000002.00020000.sdmp, rundll32.exe, 00000018.00000002.506322569.000000006E26A000.00000002.00020000.sdmp, Y0K4O5JTDz.dll
Source: Y0K4O5JTDz.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Y0K4O5JTDz.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Y0K4O5JTDz.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Y0K4O5JTDz.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Y0K4O5JTDz.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: Y0K4O5JTDz.dll | Static PE information: real checksum: 0xf3990 should be: 0xf8335
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E2209D6 push ecx; ret 0_2_6E2209E9
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E220075 push ecx; ret 0_2_6E220088
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6E2209D6 push ecx; ret 2_2_6E2209E9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6E220075 push ecx; ret 2_2_6E220088

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
                        Source: C:\Windows\SysWOW64\rundll32.exe, Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\rundll32.exe, Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\conhost.exe, Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\conhost.exe, Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\conhost.exe, Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\conhost.exe, Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\rundll32.exe, Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\conhost.exe, Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\rundll32.exe, Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\conhost.exe, Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\conhost.exe, Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\rundll32.exe, Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\conhost.exe, Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\rundll32.exe, Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\conhost.exe, Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\conhost.exe, Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\conhost.exe, Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\conhost.exe, Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\loaddll32.exe, API coverage: 9.0 %
                        Source: C:\Windows\SysWOW64\rundll32.exe, API coverage: 5.9 %
                        Source: all processes, Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                        Source: C:\Windows\SysWOW64\rundll32.exe, Last function: Thread delayed
                        Source: C:\Windows\SysWOW64\rundll32.exe, Last function: Thread delayed
                        Source: C:\Windows\SysWOW64\rundll32.exe, Last function: Thread delayed
                        Source: C:\Windows\System32\conhost.exe, Last function: Thread delayed
                        Source: C:\Windows\System32\conhost.exe, Last function: Thread delayed
                        Source: C:\Windows\System32\conhost.exe, Last function: Thread delayed
                        Source: C:\Windows\System32\conhost.exe, Last function: Thread delayed
                        Source: C:\Windows\System32\conhost.exe, Last function: Thread delayed
                        Source: C:\Windows\System32\conhost.exe, Last function: Thread delayed
                        Source: C:\Windows\System32\conhost.exe, Last function: Thread delayed
                        Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_6E241F6D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6E241F6D
                        Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_6E24966F mov eax, dword ptr fs:[00000030h] 0_2_6E24966F
                        Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 2_2_6E24966F mov eax, dword ptr fs:[00000030h] 2_2_6E24966F
                        Source: all processes, Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                        Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_6E241F6D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6E241F6D
                        Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_6E2207A7 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6E2207A7
                        Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_6E220288 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6E220288
                        Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 2_2_6E241F6D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_6E241F6D
                        Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 2_2_6E2207A7 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_6E2207A7
                        Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 2_2_6E220288 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_6E220288
                        Source: C:\Windows\System32\loaddll32.exe, Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
                        Source: C:\Windows\System32\loaddll32.exe, Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
                        Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\Y0K4O5JTDz.dll',#1
                        Source: C:\Windows\SysWOW64\rundll32.exe, Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
                        Source: C:\Windows\SysWOW64\rundll32.exe, Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
                        Source: C:\Windows\SysWOW64\rundll32.exe, Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
                        Source: C:\Windows\SysWOW64\rundll32.exe, Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
                        Source: C:\Windows\SysWOW64\rundll32.exe, Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
                        Source: C:\Windows\SysWOW64\rundll32.exe, Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
                        Source: C:\Windows\SysWOW64\rundll32.exe, Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
                        Source: C:\Windows\SysWOW64\rundll32.exe, Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
                        Source: C:\Windows\SysWOW64\rundll32.exe, Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
                        Source: C:\Windows\SysWOW64\rundll32.exe, Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
                        Source: C:\Windows\SysWOW64\rundll32.exe, Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
                        Source: C:\Windows\SysWOW64\rundll32.exe, Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
                        Source: loaddll32.exe, 00000000.00000002.472770851.0000000001160000.00000002.00000001.sdmp, rundll32.exe, 00000002.00000002.475426616.0000000003280000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.472311664.0000000003610000.00000002.00000001.sdmp, rundll32.exe, 0000000D.00000002.518770463.0000000003410000.00000002.00000001.sdmp, rundll32.exe, 00000010.00000002.474127173.0000000003A70000.00000002.00000001.sdmp, rundll32.exe, 00000015.00000002.488597441.0000000003610000.00000002.00000001.sdmp, rundll32.exe, 00000018.00000002.473979902.0000000003610000.00000002.00000001.sdmp, Binary or memory string: Program Manager
                        Source: loaddll32.exe, 00000000.00000002.472770851.0000000001160000.00000002.00000001.sdmp, rundll32.exe, 00000002.00000002.475426616.0000000003280000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.472311664.0000000003610000.00000002.00000001.sdmp, rundll32.exe, 0000000D.00000002.518770463.0000000003410000.00000002.00000001.sdmp, rundll32.exe, 00000010.00000002.474127173.0000000003A70000.00000002.00000001.sdmp, rundll32.exe, 00000015.00000002.488597441.0000000003610000.00000002.00000001.sdmp, rundll32.exe, 00000018.00000002.473979902.0000000003610000.00000002.00000001.sdmp, Binary or memory string: Shell_TrayWnd
                        Source: loaddll32.exe, 00000000.00000002.472770851.0000000001160000.00000002.00000001.sdmp, rundll32.exe, 00000002.00000002.475426616.0000000003280000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.472311664.0000000003610000.00000002.00000001.sdmp, rundll32.exe, 0000000D.00000002.518770463.0000000003410000.00000002.00000001.sdmp, rundll32.exe, 00000010.00000002.474127173.0000000003A70000.00000002.00000001.sdmp, rundll32.exe, 00000015.00000002.488597441.0000000003610000.00000002.00000001.sdmp, rundll32.exe, 00000018.00000002.473979902.0000000003610000.00000002.00000001.sdmp, Binary or memory string: Progman
                        Source: loaddll32.exe, 00000000.00000002.472770851.0000000001160000.00000002.00000001.sdmp, rundll32.exe, 00000002.00000002.475426616.0000000003280000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.472311664.0000000003610000.00000002.00000001.sdmp, rundll32.exe, 0000000D.00000002.518770463.0000000003410000.00000002.00000001.sdmp, rundll32.exe, 00000010.00000002.474127173.0000000003A70000.00000002.00000001.sdmp, rundll32.exe, 00000015.00000002.488597441.0000000003610000.00000002.00000001.sdmp, rundll32.exe, 00000018.00000002.473979902.0000000003610000.00000002.00000001.sdmp, Binary or memory string: Progmanlock
                        Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_6E220604 cpuid 0_2_6E220604
                        Source: C:\Windows\System32\loaddll32.exe, Code function: GetLocaleInfoW, 0_2_6E25DF65
                        Source: C:\Windows\System32\loaddll32.exe, Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 0_2_6E25DD96
                        Source: C:\Windows\System32\loaddll32.exe, Code function: EnumSystemLocalesW, 0_2_6E253952
                        Source: C:\Windows\System32\loaddll32.exe, Code function: GetLocaleInfoW, 0_2_6E25E61F
                        Source: C:\Windows\System32\loaddll32.exe, Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_6E25E6EC
                        Source: C:\Windows\System32\loaddll32.exe, Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_6E25E518
                        Source: C:\Windows\System32\loaddll32.exe, Code function: GetLocaleInfoW, 0_2_6E254323
                        Source: C:\Windows\System32\loaddll32.exe, Code function: ___crtGetLocaleInfoEx, 0_2_6E21F364
                        Source: C:\Windows\System32\loaddll32.exe, Code function: GetLocaleInfoW, 0_2_6E25E3EF
                        Source: C:\Windows\System32\loaddll32.exe, Code function: EnumSystemLocalesW, 0_2_6E25E00E
                        Source: C:\Windows\System32\loaddll32.exe, Code function: EnumSystemLocalesW, 0_2_6E25E077
                        Source: C:\Windows\System32\loaddll32.exe, Code function: EnumSystemLocalesW, 0_2_6E25E112
                        Source: C:\Windows\System32\loaddll32.exe, Code function: GetLocaleInfoW, 0_2_6E21F1B7
                        Source: C:\Windows\System32\loaddll32.exe, Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_6E25E19F
                        Source: C:\Windows\SysWOW64\rundll32.exe, Code function: GetLocaleInfoW, 2_2_6E25DF65
                        Source: C:\Windows\SysWOW64\rundll32.exe, Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 2_2_6E25DD96
                        Source: C:\Windows\SysWOW64\rundll32.exe, Code function: EnumSystemLocalesW, 2_2_6E253952
                        Source: C:\Windows\SysWOW64\rundll32.exe, Code function: GetLocaleInfoW, 2_2_6E25E61F
                        Source: C:\Windows\SysWOW64\rundll32.exe, Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 2_2_6E25E6EC
                        Source: C:\Windows\SysWOW64\rundll32.exe, Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 2_2_6E25E518
                        Source: C:\Windows\SysWOW64\rundll32.exe, Code function: GetLocaleInfoW, 2_2_6E254323
                        Source: C:\Windows\SysWOW64\rundll32.exe, Code function: ___crtGetLocaleInfoEx, 2_2_6E21F364
                        Source: C:\Windows\SysWOW64\rundll32.exe, Code function: GetLocaleInfoW, 2_2_6E25E3EF
                        Source: C:\Windows\SysWOW64\rundll32.exe, Code function: EnumSystemLocalesW, 2_2_6E25E00E
                        Source: C:\Windows\SysWOW64\rundll32.exe, Code function: EnumSystemLocalesW, 2_2_6E25E077
                        Source: C:\Windows\SysWOW64\rundll32.exe, Code function: EnumSystemLocalesW, 2_2_6E25E112
                        Source: C:\Windows\SysWOW64\rundll32.exe, Code function: GetLocaleInfoW, 2_2_6E21F1B7
                        Source: C:\Windows\SysWOW64\rundll32.exe, Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 2_2_6E25E19F
                        Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_6E209A14 GetSystemTimeAsFileTime, 0_2_6E209A14
                        Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_6E258951 _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 0_2_6E258951

                        Stealing of Sensitive Information:

                        Yara detected Ursnif
                        Source: Yara match, file source: Y0K4O5JTDz.dll, type: SAMPLE
                        Source: Yara match, file source: 3.2.rundll32.exe.6e1e0000.1.unpack, type: UNPACKEDPE
                        Source: Yara match, file source: 0.2.loaddll32.exe.6e1e0000.0.unpack, type: UNPACKEDPE
                        Source: Yara match, file source: 13.2.rundll32.exe.6e1e0000.1.unpack, type: UNPACKEDPE
                        Source: Yara match, file source: 16.2.rundll32.exe.6e1e0000.1.unpack, type: UNPACKEDPE
                        Source: Yara match, file source: 24.2.rundll32.exe.6e1e0000.1.unpack, type: UNPACKEDPE
                        Source: Yara match, file source: 2.2.rundll32.exe.6e1e0000.1.unpack, type: UNPACKEDPE
                        Source: Yara match, file source: 21.2.rundll32.exe.6e1e0000.1.unpack, type: UNPACKEDPE
                        Source: Yara match, file source: 0000000D.00000002.518987950.000000006E1E1000.00000020.00020000.sdmp, type: MEMORY
                        Source: Yara match, file source: 00000000.00000002.472801964.000000006E1E1000.00000020.00020000.sdmp, type: MEMORY
                        Source: Yara match, file source: 00000010.00000002.475060646.000000006E1E1000.00000020.00020000.sdmp, type: MEMORY
                        Source: Yara match, file source: 00000002.00000002.476449886.000000006E1E1000.00000020.00020000.sdmp, type: MEMORY
                        Source: Yara match, file source: 00000015.00000002.493394816.000000006E1E1000.00000020.00020000.sdmp, type: MEMORY
                        Source: Yara match, file source: 00000003.00000002.473300457.000000006E1E1000.00000020.00020000.sdmp, type: MEMORY
                        Source: Yara match, file source: 00000018.00000002.474907412.000000006E1E1000.00000020.00020000.sdmp, type: MEMORY

                        Remote Access Functionality:

                        Yara detected Ursnif
                        Source: Yara match, file source: Y0K4O5JTDz.dll, type: SAMPLE
                        Source: Yara match, file source: 3.2.rundll32.exe.6e1e0000.1.unpack, type: UNPACKEDPE
                        Source: Yara match, file source: 0.2.loaddll32.exe.6e1e0000.0.unpack, type: UNPACKEDPE
                        Source: Yara match, file source: 13.2.rundll32.exe.6e1e0000.1.unpack, type: UNPACKEDPE
                        Source: Yara match, file source: 16.2.rundll32.exe.6e1e0000.1.unpack, type: UNPACKEDPE
                        Source: Yara match, file source: 24.2.rundll32.exe.6e1e0000.1.unpack, type: UNPACKEDPE
                        Source: Yara match, file source: 2.2.rundll32.exe.6e1e0000.1.unpack, type: UNPACKEDPE
                        Source: Yara match, file source: 21.2.rundll32.exe.6e1e0000.1.unpack, type: UNPACKEDPE
                        Source: Yara match, file source: 0000000D.00000002.518987950.000000006E1E1000.00000020.00020000.sdmp, type: MEMORY
                        Source: Yara match, file source: 00000000.00000002.472801964.000000006E1E1000.00000020.00020000.sdmp, type: MEMORY
                        Source: Yara match, file source: 00000010.00000002.475060646.000000006E1E1000.00000020.00020000.sdmp, type: MEMORY
                        Source: Yara match, file source: 00000002.00000002.476449886.000000006E1E1000.00000020.00020000.sdmp, type: MEMORY
                        Source: Yara match, file source: 00000015.00000002.493394816.000000006E1E1000.00000020.00020000.sdmp, type: MEMORY
                        Source: Yara match, file source: 00000003.00000002.473300457.000000006E1E1000.00000020.00020000.sdmp, type: MEMORY
                        Source: Yara match, file source: 00000018.00000002.474907412.000000006E1E1000.00000020.00020000.sdmp, type: MEMORY
                        Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_6E1E16BC __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ, 0_2_6E1E16BC
                        Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 2_2_6E1E16BC __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ, 2_2_6E1E16BC

                        Mitre Att&ck Matrix

                        Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
                        Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux); At (Windows)
                        Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
                        Privilege Escalation: Process Injection 12; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
                        Defense Evasion: Rundll32 1; Process Injection 12; Deobfuscate/Decode Files or Information 1; Obfuscated Files or Information 2
                        Credential Access: Input Capture 1; LSASS Memory; Security Account Manager; NTDS
                        Discovery: System Time Discovery 2; Security Software Discovery 1; Process Discovery 1; System Information Discovery 22
                        Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
                        Collection: Input Capture 1; Archive Collected Data 1; Data from Network Shared Drive; Input Capture
                        Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer
                        Command and Control: Encrypted Channel 1; Junk Data; Steganography; Protocol Impersonation
                        Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap
                        Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
                        Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud

                        Behavior Graph

                        Behavior Graph ID: 449025, Sample: Y0K4O5JTDz, Startdate: 15/07/2021, Architecture: WINDOWS, Score: 64
                        (behavior graph image not included; node numbers below are the graph's own)

                        Top-level signatures: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Yara detected Ursnif

                        Process edges:
                        2 Start -> 9 loaddll32.exe
                        9 loaddll32.exe -> 11 cmd.exe, 13 rundll32.exe, 15 rundll32.exe, 17 (5 other processes)
                        11 cmd.exe -> 19 rundll32.exe
                        13 rundll32.exe -> 21 cmd.exe, 23 cmd.exe
                        15 rundll32.exe -> 25 cmd.exe, 27 cmd.exe
                        17 (5 other processes) -> 29 cmd.exe, 31 cmd.exe
                        33 cmd.exe (parent edge cut off in the page text)